The Center for Internet Security (CIS) Controls, or #CISControls, have become an industry standard that helps businesses and organizations of all sizes maintain a baseline of #Cybersecurity controls.
The 153 #Safeguards, found across the 18 controls, are a foundation for protecting your technology and data. They are not rocket science, and you can start implementing most of them today.
Follow along as I outline and simplify the safeguards as we work together and #SecureIT.
Safeguard 2.3 is the last safeguard in Control 2 that is required for all three Implementation Groups. How you address unauthorized software is up to you: you can choose to authorize it, remove it, or provide a documented exception, and this should be reviewed at least monthly.
Like Safeguards 2.1 and 2.2, this is not a huge ask, and it should already be part of your monthly processes. If it's not, it's time to create that policy and start documenting your software inventory to identify what is and what is not authorized.
While the easiest thing may be to say authorize all software, you and I both know that is not why we are in the #CyberSecurity field. Ensuring we know what we have to protect, and having the policies to back us up when we need it are critical to our success.
You have your software inventory, including each title's business use case, and you've ensured all of the software is currently supported. I would start with a process where every software install request has to be supported by a ticket capturing the fields you need to inventory, including the business use case. A manager can approve it or not.
Ensuring end users don't have install rights eliminates the possibility of Bob just downloading and installing that classic Napster or LimeWire (yes, I dated myself) application.
Now you may think, "Then I have to connect in and install every update or this or that myself, and that's more time than it's worth."
I'm going to call out CyberFOX and their #AutoElevate tool, a #PrivilegedAccessManagement (#PAM) tool that audits User Account Control (UAC) events to see what applications are being installed and updated, creates rules based on those UAC events, automates ticket requests, and removes local admin rights to protect your users and data. If you are looking to comply with the CIS Controls or any compliance standard, take a look at https://lnkd.in/g8CWFDe8
To check off Safeguard 2.3, all you need is the documentation on how you address unauthorized software, when it's reviewed, and a library of the documented exceptions.
Join the Conversation - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7070451518717505536-dCzT?utm_source=share&utm_medium=member_desktop
Safeguard 2.2 is one that, while it is common sense, has to be in writing. Ensuring that authorized software is currently supported is critical, as application #zerodayvulnerabilities in outdated software are well documented and are used as a method to access your network and data.
2.2 calls for only currently supported software to be used and recorded in the software inventory (2.1). If software is unsupported but required for the business, then an exception detailing mitigating controls and risk acceptance must be documented (for those still running legacy applications). Without that documentation it must be inventoried as unauthorized. Support status should be checked at least monthly, or more frequently.
In reality, as long as the application is on the current version it is supported and assumed to be the most secure version available. I'm not saying install every update on day 1, but updates that address a disclosed zero-day vulnerability should be reviewed and escalated for deployment.
Remember, 2.2 requires you to ensure the software is currently supported, and some older versions typically remain supported for a couple of years after release. Windows 10 is still supported by Microsoft until 2025. Intuit QuickBooks Desktop 2020 actually just ended its support period on May 31, 2023.
So when you first look at 2.2 you may wonder how you are going to check it off. It's just making sure you know what is installed and supported with regard to the authorized software in use across your assets.
Of course your best practice should be to always ensure all software is patched and updated, including the Operating System, applications, and mobile apps.
Continue to follow the #CyberEducationMonth tag and learn other Educational Tips and Tricks on keeping your network and data secure.
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7069718527959552001-oKYh?utm_source=share&utm_medium=member_desktop
We begin our review of CIS Control 2.x which covers the #Inventory and #Control of #Software Assets. Every organization should actively manage (inventory, track, and correct) all software (Operating Systems and Applications) on the network so that only authorized software is installed and can execute.
Not much has changed in 20 years: employees will go out and find a software title that resolves an issue or streamlines a process for them and install it. It could be the traditional WinZip application or a photo editor. It could also be their favorite game, or, in the modern workspace where a workstation may be shared with a family member, a tool for that person's school, work, or play.
What has changed is that more of the software titles in use today are web-based, but there is still more than enough downloading and installing going on for this to be a concern.
Safeguard 2.1 requires you to establish and maintain a software inventory. It must include at least the title, publisher, initial install/use date, business purpose for each entry, the URL, App Store(s), version(s), deployment mechanism, and the decommission date. It requires review and update of the inventory at least bi-annually.
How many times have you installed and removed an application the same day or a week later? Let's be real: this is a challenge to complete without some sort of automated tool, and that tool has to have enough privilege on the computer to query and report on the installed list.
The easiest way to check this off is to use a Remote Monitoring and Management (RMM) tool or Microsoft Intune, as they will provide you a current software listing that you can maintain. The catch is that most RMM tools only retain records for up to 90 days, so you may struggle to look back in time if you need to recall past records.
Alternatively, to check this box you can maintain the classic spreadsheet and manually review your systems no less than twice a year.
Remember you need to do this for all assets from Safeguard 1.1, so that includes all end-user devices, network devices, IoT devices, and servers.
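The three Control 2 safeguards fit together as one review loop, so here is an added Python example (my illustration, not code from these posts or from any of the tools named in them) that models a software inventory with the Safeguard 2.1 fields, flags unsupported software that lacks a documented exception per 2.2, and returns the authorize / remove / exception outcome per 2.3, plus a check of whether the monthly and bi-annual reviews are overdue. All inventory rows, publishers, dates, and the exception are constructed for illustration; the QuickBooks Desktop 2020 end-of-support date is the one quoted in the 2.2 post above.

```python
"""Software inventory review covering CIS Safeguards 2.1, 2.2 and 2.3.
Added illustration; all rows, dates and exceptions below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

@dataclass
class SoftwareEntry:
    """One row of the Safeguard 2.1 inventory (field names follow the post)."""
    title: str
    publisher: str
    version: str
    install_date: date
    business_purpose: str
    deployment: str                         # how it is installed: "RMM", "Intune", "manual"
    url: str = ""
    app_store: str = ""
    decommission_date: Optional[date] = None
    end_of_support: Optional[date] = None   # None means the vendor still supports this version

@dataclass
class SupportException:
    """Safeguard 2.2 exception for software the business still needs after support ends."""
    title: str
    mitigating_controls: str
    risk_accepted_by: str
    review_by: date                         # the exception lapses unless re-approved by this date

AUTHORIZED = "authorized"
AUTHORIZED_BY_EXCEPTION = "authorized (documented exception)"
UNAUTHORIZED_UNSUPPORTED = "unauthorized: unsupported, no exception on file"
UNAUTHORIZED_NOT_APPROVED = "unauthorized: not on the approved list"
DECOMMISSIONED = "decommissioned"

def missing_fields(entry: SoftwareEntry) -> List[str]:
    """Safeguard 2.1 fields that are blank on this row (a blank purpose is a red flag)."""
    required = ["title", "publisher", "version", "business_purpose", "deployment"]
    return [f for f in required if not getattr(entry, f).strip()]

def classify(entry: SoftwareEntry, approved: Set[str],
             exceptions: Dict[str, SupportException], today: date) -> str:
    """Safeguard 2.3 outcome: authorized, unauthorized (remove it), or a documented exception."""
    if entry.decommission_date is not None and entry.decommission_date <= today:
        return DECOMMISSIONED
    if entry.title not in approved:
        return UNAUTHORIZED_NOT_APPROVED
    if entry.end_of_support is None or entry.end_of_support >= today:   # Safeguard 2.2 check
        return AUTHORIZED
    exc = exceptions.get(entry.title)
    if exc is not None and exc.review_by >= today and exc.mitigating_controls.strip():
        return AUTHORIZED_BY_EXCEPTION
    return UNAUTHORIZED_UNSUPPORTED

def review_inventory(inventory: List[SoftwareEntry], approved: Set[str],
                     exceptions: Dict[str, SupportException], today: date) -> Dict[str, str]:
    return {e.title: classify(e, approved, exceptions, today) for e in inventory}

# Cadences from the posts: inventory at least bi-annually, the other two at least monthly.
REVIEW_CADENCE_DAYS = {
    "2.1 inventory review": 182,
    "2.2 support check": 31,
    "2.3 unauthorized software review": 31,
}

def overdue_reviews(last_reviewed: Dict[str, date], today: date) -> List[str]:
    """Control 2 reviews that have never run or whose cadence has lapsed."""
    return [name for name, days in REVIEW_CADENCE_DAYS.items()
            if name not in last_reviewed or today - last_reviewed[name] > timedelta(days=days)]

# Constructed sample data for the review run
TODAY = date(2023, 6, 5)
INVENTORY = [
    SoftwareEntry("7-Zip", "Igor Pavlov", "22.01", date(2022, 9, 1),
                  "Archive extraction for finance", "RMM", url="https://www.7-zip.org/"),
    SoftwareEntry("QuickBooks Desktop 2020", "Intuit", "R15", date(2020, 3, 2),
                  "Accounting", "manual", end_of_support=date(2023, 5, 31)),
    SoftwareEntry("LabControl", "Example Labs (hypothetical)", "4.2", date(2019, 1, 15),
                  "Drives a legacy lab instrument", "manual", end_of_support=date(2021, 12, 31)),
    SoftwareEntry("LimeWire", "LimeWire LLC", "5.5", date(2023, 6, 1), "", "manual"),
    SoftwareEntry("OldVPN", "Example Corp (hypothetical)", "1.0", date(2018, 5, 1),
                  "Replaced by current VPN client", "manual", decommission_date=date(2022, 8, 1)),
]
APPROVED = {"7-Zip", "QuickBooks Desktop 2020", "LabControl", "OldVPN"}
EXCEPTIONS = {"LabControl": SupportException(
    "LabControl", "Isolated VLAN, no internet egress, application allow-listing", "CISO", date(2023, 12, 31))}
LAST_REVIEWED = {"2.1 inventory review": date(2023, 1, 10), "2.2 support check": date(2023, 4, 1)}

if __name__ == "__main__":
    for title, status in review_inventory(INVENTORY, APPROVED, EXCEPTIONS, TODAY).items():
        print(f"{title:26} {status}")
    print("Missing fields on LimeWire:", missing_fields(INVENTORY[3]))
    print("Overdue reviews:", overdue_reviews(LAST_REVIEWED, TODAY))
```

Running it on the constructed data shows QuickBooks Desktop 2020 flipping to unauthorized five days after its support ended because nobody filed an exception, while the legacy lab application stays authorized only as long as its exception has mitigating controls and an unexpired review date; the same run reports the 2.2 and 2.3 reviews as overdue, which is the gap an auditor will ask about.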
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7069718527959552001-oKYh?utm_source=share&utm_medium=member_desktop
Wrapping up Control 1 with Safeguard 1.5, which is only required for Implementation Group 3 (#IG3) and calls for the use of a passive asset discovery tool. The passive tool needs to identify assets connected to the network, and its findings should be reviewed at least weekly.
If we go back to Safeguard 1.3, it called for an Active Discovery Tool to identify assets connected to the network. It's important to note that an active scanner directly interacts with endpoints by querying them with test traffic packets and reviewing each response to find vulnerabilities.
Safeguard 1.5 is now looking for a Passive Discovery Tool to do the same. Passive scanners “silently” glean network data to detect weaknesses without actively interacting with endpoints.
It's important to note that to be IG3 certified you will need both the processes and tools in place to do both the Active and Passive Discovery.
The bottom line is your inventory is step 1 and is critical for data and cybersecurity frameworks. "You can't protect what you don't know" (Scott Davis). The inventory is the foundation to your knowledge.
So make sure you are looking at your full asset inventory, including end user devices, network devices, IoT devices, servers, and any other asset that can store or process data. Understand what types of data may be found on each asset and why it is where it is.
Knowing your inventory means you are already steps ahead of the nefarious actors trying to find a way into your network and data.
Next we will review Control 2, which is, you guessed it, Inventory and Control of Software Assets. Yup, more inventorying.
Need help getting started with your policy? Download an Asset Management Template here!
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-safeguards-secureit-activity-7069349248886038528--x2R?utm_source=share&utm_medium=member_desktop
Safeguard 1.4 is only required for IG2 and IG3, and calls for using #DHCP (Dynamic Host Configuration Protocol) logging to update the asset inventory.
We've talked about using an Active Discovery Tool that scans the network (1.3), blocking and removing unauthorized assets (1.2), and of course why we have to maintain an accurate documented inventory of these assets (1.1).
The default DHCP lease time on Windows Server is 8 days; the computer renews the lease automatically and may get a new IP address at that point.
Within your network, the average user today is using 4 IP addresses (VoIP phone, computer, smartphone, tablet, watch, IoT devices like smart picture frames, or a second computer). A Class C network allows at most 256 local addresses, and that's not counting the corporate devices like servers, network equipment, and printers.
That means on average you can fit roughly 60 employees on a Class C network if it's flat and not VLAN'd out. Using Class A or B networks with subnetting should really be best practice, but that's for another post.
Safeguard 1.4 calls on DHCP logging to be used and reviewed at least weekly. If you are using the default 8 day lease then you likely can just build in a weekly review of the DHCP.
But for compliance purposes you want to maintain logs. The operational log (Microsoft-Windows-Dhcp-Client%4Operational.evtx) contains the full log of each lease. NOTE: This log is typically disabled by default.
In writing your policy, ensure you are maintaining logs for, I would say, at minimum a year (typically the compliance audit review period). The policy should state the review period and link to the list showing when the log was checked, who checked it, and whether any new devices were added to inventory.
Remember your asset inventory includes any assets with the potential to store or process data including end user devices, network devices, IoT devices, and servers.
Need help getting started with your policy? Download an Asset Management Template here!
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-safeguards-secureit-activity-7069349248886038528--x2R?utm_source=share&utm_medium=member_desktop
We've looked at Safeguards 1.1 and 1.2 on establishing a detailed asset inventory and how to address unauthorized assets. Both 1.1 and 1.2 are required for every Implementation Group.
Safeguard 1.3 is only required for IG2 and IG3, which is utilizing an Active Discovery Tool. This is a tool that can identify assets connected to the network. The tool must be configured to execute at least daily, or more frequently.
This is the requirement for a script, application, or other tool that will automatically scan and identify assets connected to the network. Tools I mentioned previously, like Liongard, or your Remote Monitoring and Management (RMM) tool, likely have a probe or inspector that will automatically scan the network for new assets.
Other tools like ManageEngine OpManager, Atera, Paessler AG's PRTG, Netwrix Corporation Auditor, and Kaseya's RapidFire Tools Network Detective Pro have features that can help you check off this safeguard.
Even if you're not looking at meeting IG2 or IG3 standards, this is a best practice and a tool you should have.
The reason you need an active discovery tool is how easy it is for someone to plug in an unknown asset. It could be someone plugging in a home picture frame (IoT device), a Raspberry Pi, or a personal computer. Those are all innocent behaviors where the employee just didn't understand the risk.
It's the open network ports, ports behind televisions, the open WiFi, posted WiFi password on the wall, or even the ex-employee who remembers the password. It's the nefarious actor who delivers Pizza to get by reception only to plug in a device that he will wirelessly access from outside.
Without an active discovery tool running you'll never know. When you don't have the tools to scan for it, you can't protect the data or your network.
Also, scan more often than once a day: I can connect a computer, run scripts, explore the network, and be out in under an hour. If you only scan once a day, you may never know I just downloaded all of your client data.
Need help getting started with your policy? Download an Asset Management Template here!
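To put numbers on the "scan more often than once a day" point, here is an added Python example (my illustration, not code from the post or from any of the discovery products named) that simulates one day of device connections against several scan schedules and reports which devices each schedule would never have seen. The device connection windows, the schedules, and the day are all constructed; the 45-minute visit models the under-an-hour scenario in the post.

```python
"""Scan-cadence check for an active discovery tool (CIS Safeguard 1.3).
Added illustration; the devices, windows and schedules below are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Window = Tuple[datetime, datetime]   # first and last moment a device is on the network
DAY = datetime(2023, 6, 5)           # constructed day under review

def at(hour: int, minute: int = 0) -> datetime:
    return DAY + timedelta(hours=hour, minutes=minute)

def scan_times(interval: timedelta, first_scan: timedelta = timedelta(0)) -> List[datetime]:
    """Timestamps at which the discovery tool runs during the 24 hours of DAY."""
    times, t = [], DAY + first_scan
    while t < DAY + timedelta(days=1):
        times.append(t)
        t += interval
    return times

def seen_by(window: Window, scans: List[datetime]) -> bool:
    """An active scan only sees a device that is connected at the moment the scan runs."""
    start, end = window
    return any(start <= s <= end for s in scans)

def coverage(devices: Dict[str, Window], scans: List[datetime]) -> Set[str]:
    return {name for name, window in devices.items() if seen_by(window, scans)}

def missed(devices: Dict[str, Window], scans: List[datetime]) -> Set[str]:
    return set(devices) - coverage(devices, scans)

def guaranteed_detection(presence_minutes: int, interval_minutes: int) -> bool:
    """A device connected for at least one full scan interval cannot slip between two scans;
    anything shorter than the interval may or may not be seen, depending on timing."""
    return presence_minutes >= interval_minutes

DEVICES: Dict[str, Window] = {
    "printer-02": (at(0), at(23, 59)),             # always on
    "contractor-laptop": (at(9, 10), at(17, 30)),  # business hours only
    "unknown-pi": (at(13, 5), at(13, 50)),         # the 45-minute visit from the post
}

SCHEDULES: Dict[str, List[datetime]] = {
    "daily at 08:00": scan_times(timedelta(days=1), timedelta(hours=8)),
    "every 4 hours": scan_times(timedelta(hours=4)),
    "hourly": scan_times(timedelta(hours=1)),
    "every 15 minutes": scan_times(timedelta(minutes=15)),
}

def report() -> Dict[str, Set[str]]:
    """Which devices each schedule would have missed entirely on DAY."""
    return {name: missed(DEVICES, scans) for name, scans in SCHEDULES.items()}

if __name__ == "__main__":
    for schedule, gaps in report().items():
        print(f"{schedule:18} missed: {sorted(gaps) or 'nothing'}")
    print("45-minute device guaranteed by hourly scans?", guaranteed_detection(45, 60))
    print("45-minute device guaranteed by 15-minute scans?", guaranteed_detection(45, 15))
```

The daily 08:00 scan misses not just the short-lived device but the contractor laptop that is online all business day, because a single scan before anyone arrives sees nothing; even hourly scans can straddle a 45-minute visit. The general rule the last function encodes is that you are only guaranteed to see devices that stay connected for at least one full scan interval, so pick the interval from the shortest visit you need to catch, not from what is convenient.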
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-safeguards-secureit-activity-7067884632142139392-DJTn?utm_source=share&utm_medium=member_desktop
Yesterday we reviewed Safeguard 1.1 on establishing a detailed asset inventory, today let's review 1.2 "Addressing Unauthorized Assets".
For all 3 Implementation Groups, we need to ensure that a process exists to address unauthorized assets on at minimum a weekly basis. You can choose to remove the asset from the network, deny the asset from connecting remotely, or quarantine it.
Shadow IT assets, or any assets that are unknown, pose serious risks to your network security and data security.
This is the first safeguard that is a documented process. As long as you are maintaining a log of a manual weekly review of DHCP leases, you can probably check this off. But manual processes invite mistakes or missing something.
First, I would ensure that any live network jacks are disabled if they are not being used. Second, ensure only work-owned devices are permitted on the corporate wireless networks (any personal devices should always use the guest network). If you have every MAC address documented, you could maintain a whitelist of MAC addresses allowed on the network.
I've also seen Liongard's Network Discovery inspector used to scan the network every 8 hours and notify when a change occurs. Enterprise network infrastructure like switches and firewalls also may have discovery tools to help identify Shadow IT assets.
Once you have a process for identifying when new devices connect, you then decide whether each one is removed, denied, or quarantined. If you're doing MAC address filtering at the infrastructure level, build that into the policy: if a device isn't one of the listed addresses, it's denied access. If you're doing it manually, then what you need to document is how you locate and remove the asset.
Need help getting started with your policy? Download an Asset Management Template here!
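The weekly DHCP review described under Safeguard 1.4 above and the remove / deny / quarantine decision required by 1.2 are the same piece of work, so here is one added Python example (my illustration, not code from these posts or from any vendor tool) that parses lease events from a log, normalizes the MAC addresses so they can be compared with the inventory, applies a simple policy to every MAC the inventory does not know, and returns the review record the 1.4 post asks you to keep (when it was checked, who checked it, which new devices appeared). It assumes the lease events are exported from the Windows DHCP Server audit log in its comma-separated layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address, ...) with event ID 10 for a new lease and 11 for a renewal; if you pull leases from a different log, only the parser changes. The log lines, inventory, subnets and reviewer are all constructed.

```python
"""DHCP lease review for CIS Safeguards 1.4 (DHCP logging) and 1.2 (unauthorized assets).
Added illustration; the log, inventory, subnets and reviewer below are constructed."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

NEW_LEASE, RENEWED = 10, 11   # Windows DHCP Server audit-log IDs for Assign / Renew; confirm against your log's legend

@dataclass
class Lease:
    event_id: int
    when: str
    ip: str
    hostname: str
    mac: str

def normalize_mac(raw: str) -> str:
    """Logs and inventories write MACs differently (001A2B..., 00-1A-2B-...); compare one canonical form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_dhcp_audit(text: str) -> List[Lease]:
    """Keep only Assign/Renew events; the legend and header lines at the top of the file are skipped."""
    leases = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        event_id = int(row[0])
        if event_id in (NEW_LEASE, RENEWED):
            leases.append(Lease(event_id, f"{row[1]} {row[2]}", row[4].strip(),
                                row[5].strip(), normalize_mac(row[6])))
    return leases

CORPORATE_PREFIX = "192.168.10."   # constructed scopes: the corporate VLAN ...
GUEST_PREFIX = "192.168.50."       # ... and the guest network personal devices should use

def decide(lease: Lease, inventory: Dict[str, str]) -> str:
    """Safeguard 1.2 outcome for one lease: known, or unknown with the action the policy prescribes."""
    if lease.mac in inventory:
        return "known: " + inventory[lease.mac]
    if lease.ip.startswith(GUEST_PREFIX):
        return "unknown on guest network: no corporate access, no inventory action"
    return "unknown on corporate network: quarantine and open a ticket"

def weekly_review(log_text: str, inventory: Dict[str, str], reviewer: str, reviewed_on: date) -> dict:
    """The record Safeguard 1.4 asks for: when it was checked, by whom, and which new devices appeared."""
    first_seen: Dict[str, Lease] = {}
    for lease in parse_dhcp_audit(log_text):
        first_seen.setdefault(lease.mac, lease)
    findings = {mac: decide(lease, inventory) for mac, lease in first_seen.items()}
    return {
        "reviewed_on": reviewed_on.isoformat(),
        "reviewer": reviewer,
        "leases_reviewed": len(first_seen),
        "new_devices": sorted(mac for mac, outcome in findings.items() if outcome.startswith("unknown")),
        "findings": findings,
    }

# Constructed log: two legend lines, the column header, then one day's events.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log
\t10\tA new IP address was leased to a client.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult
10,06/05/23,08:02:11,Assign,192.168.10.57,FIN-LAPTOP-07.corp.example,001A2B3C4D5E,,1234,0
11,06/05/23,08:15:40,Renew,192.168.10.12,PRINTER-02.corp.example,00AABBCCDD01,,1235,0
10,06/05/23,13:07:03,Assign,192.168.10.88,raspberrypi,B827EB112233,,1236,0
10,06/05/23,13:20:55,Assign,192.168.50.23,android-9f3,3C5AB4778899,,1237,0
12,06/05/23,17:31:00,Release,192.168.10.57,FIN-LAPTOP-07.corp.example,001A2B3C4D5E,,1238,0
"""

INVENTORY = {   # MAC -> inventory description (constructed)
    normalize_mac("00-1A-2B-3C-4D-5E"): "FIN-LAPTOP-07, owner: finance, Windows 11",
    normalize_mac("00:AA:BB:CC:DD:01"): "PRINTER-02, owner: IT",
}
REVIEW_DATE = date(2023, 6, 9)

if __name__ == "__main__":
    record = weekly_review(SAMPLE_LOG, INVENTORY, "IT reviewer (constructed)", REVIEW_DATE)
    for mac, outcome in record["findings"].items():
        print(f"{mac}  {outcome}")
    print("new devices to add or act on:", record["new_devices"])
```

The two things this catches that a glance at the DHCP console does not are the MAC format mismatch (the inventory says `00-1A-2B-...`, the log says `001A2B...`, and without normalization every known device looks new) and the release event, which is deliberately ignored so a device that connected and left in the same afternoon still shows up in the week's record. The returned dictionary is the artifact to file with the policy: it names the reviewer, the date, and the devices that need inventory entries or a ticket.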
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-safeguards-secureit-activity-7067523468942008320-M8QS?utm_source=share&utm_medium=member_desktop
CIS Control 1 is Inventory and Control of your assets, so it makes sense that Safeguard 1.1 is "Establish and Maintain a Detailed Asset Inventory".
This calls for you to maintain a current inventory of all of your assets that have the potential to store or process data. That includes endpoints, network devices, IoT devices, servers, hard drives, USB devices, and in some cases even backup storage devices or drives.
You should maintain, at minimum, the hardware address, machine name, owner, operating system, and what type of data the user has access to. With today's modern workspace I would assume that any asset can be used outside the network as well as within it.
You know what you have to store, but how you store it is also critical. There are tools like Hudu, IT Glue, Confluence, Microsoft SharePoint, ManageEngine's AssetExplorer, and other documentation tools that allow you to manage this manually. Integrations and tools like Liongard or your Remote Monitoring and Management (RMM) tools can automate some of the inventory pieces as well, but you need a solution that also allows manual entry of devices to meet this compliance piece.
You want to automate what you can, because manual documentation will be outdated and no matter how good the techs are, it's never going to be updated right away.
If you don't have access to any of the above tools, you can use a shared Microsoft Excel or Google Sheets file to list your assets in spreadsheet form, but as we go through this you'll learn that you'll want a tool with integrations to the assets you use. Again, when you can automate it, you'll find it is always more accurate.
CIS Safeguard 1.1 is required for Implementation Groups 1, 2, and 3.
Need help getting started with your policy? Download an Asset Management Template here!
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-secureit-activity-7067238255586365440-jg9g?utm_source=share&utm_medium=member_desktop
The CIS Controls have become an industry standard that helps businesses and organizations of all sizes maintain a baseline of cybersecurity controls.
The latest release of the CIS Controls is version eight, which was published in 2021. The list is still prioritized in order of importance, but there are some notable changes to the controls and their order. The controls are now task-focused and combined by activities broken down into 18 Controls within three implementation groups.
An Implementation Group 1 (IG1) enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. The principal concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information.
Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off-the-shelf (COTS) hardware and software.
An IG2 (includes IG1) enterprise employs individuals responsible for managing and protecting IT infrastructure. These enterprises support multiple departments with differing risk profiles based on job function and mission. Small enterprise units may have regulatory compliance burdens. IG2 enterprises often store and process sensitive client or enterprise information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs.
Safeguards selected for IG2 help security teams cope with increased operational complexity. Some Safeguards will depend on enterprise-grade technology and specialized expertise to properly install and configure.
An IG3 (includes IG1 & IG2) enterprise employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.
Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
CIS Control 1: Inventory and Control of Enterprise Assets
A comprehensive view of the devices on your network is the first step in reducing your organization’s attack surface. Use both active and passive asset discovery solutions on an ongoing basis to monitor your inventory and make sure all hardware is accounted for.
CIS Control 2: Inventory and Control of Software Assets
Another one of the top controls also deals with asset discovery, making network inventorying the single most critical step you can take to harden your system. After all, you can’t keep track of assets that you don’t know you have on your network.
CIS Control 3: Data Protection
A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes as well as being able to classify it based on sensitivity are the keystones of such a plan. Despite its simple name, this is one of the more complex and difficult controls to put into practice thanks to ongoing processes like inventorying sensitive information.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
Leverage file integrity monitoring (FIM) to keep track of configuration files, master images, and more. This control speaks to the need for automating configuration monitoring systems so that departures from known baselines trigger security alerts. The systems in scope under this control include mobile devices, laptops, workstations, servers, and other devices.
CIS Control 5: Account Management
In order to keep valid credentials out of hackers’ hands, you must have a system in place to control authentication mechanisms. Administrative credentials are a prime target for cybercriminals. Luckily, there are several steps you can take to safeguard them, such as keeping a detailed inventory of admin accounts and changing default passwords. Monitoring and controlling accounts makes it much harder for malicious actors to successfully attack a company and steal or damage assets.
CIS Control 6: Access Control Management
The first step in implementing this control is inventorying your network’s wireless access points. From there, the control takes a deep dive into mitigating all types of wireless access risks. By encrypting information in transit and disabling communication between workstations, you can also start to limit potential security incidents that can occur when data privileges are overly lax.
CIS Control 7: Continuous Vulnerability Management
A major challenge in cybersecurity involves keeping up with all the common vulnerabilities and exposures (CVEs) identified in real time around the world. Effective security programs have to keep up with a plethora of new vulnerabilities every day. CIS lists continuous vulnerability assessment and remediation as a key part of risk and governance programs.
CIS Control 8: Audit Log Management
System logs provide an accurate account of all activity on your network. This means that in the event of a cybersecurity incident, proper log management practices will give you all the data you need about the who, what, where, when, and how of the event in question. Security teams must pay attention to logs and use them in conjunction with tools that are designed to analyze log information and generate actionable management guidance.
CIS Control 9: Email and Web Browser Protections
There are more security threats in email and web browsers than phishing alone. Even a single pixel in an email image can give cybercriminals the information they need in order to carry out an attack. Attackers frequently use web browsers and email clients as entry points for code exploitation and social engineering, and controls need to be implemented to protect against interactions with untrusted environments.
CIS Control 10: Malware Defenses
Increasing ransomware attacks necessitate that organizations bolster their malware defenses. Make sure your antivirus tools integrate well with the rest of your security toolchain. Implement anti-malware software and ensure that it is kept regularly updated. This control also involves disabling certain functions, such as autorun and autoplay for removable media.
CIS Control 11: Data Recovery
Organizations must have a strong plan for dealing with the recovery of lost data should preventive controls fail. Are you performing regular, automated backups? Are you protecting your backed-up data? Ensuring proper data recovery capabilities will protect you from threats like ransomware. It’s also important to practice and test restoring your data so you will be prepared in the event of actual data loss.
CIS Control 12: Network Infrastructure Management
Implementing this control will help you reduce your attack surface by way of tactics like automated port scanning and application firewalls. Network devices can be viewed as the gateways to your enterprise, whether physical or virtual. Proper administration and secure configuration of routers, switches, firewalls, and other network devices is essential to managing ingress and egress filtering rules for enterprise policy-based protection.
CIS Control 13: Network Monitoring and Defense
This control involves centralizing security event alerting, deploying host-based intrusion detection systems, using a network intrusion detection system, and more. Network monitoring and defense must be viewed as an ongoing process that is given substantial attention by security teams. Safeguards such as network segmentation and application layer filtering will help ensure that networks stay hardened against attacks.
CIS Control 14: Security Awareness and Skills Training
Security training should be a bigger priority at most organizations, due in part to the widening cybersecurity skills gap. This control also emphasizes the need for ongoing security training rather than one-time engagements. When employees understand how to practice stringent cyber hygiene, they are much harder to exploit by way of phishing and social engineering attacks.
CIS Control 15: Service Provider Management
Most organizations entrust certain processes and functions to third-party service providers who frequently have access to sensitive data. Unfortunately, service providers have become an attack vector for cybercriminals, so managing the security of your organization’s service providers is now a necessity. And this isn’t just for security’s sake; many compliance standards, HIPAA and PCI for example, require compliance to cover third-party service providers.
CIS Control 16: Application Software Security
Code developed in-house needs security assessments through processes like static and dynamic security analysis to uncover hidden vulnerabilities. The most popular target for hackers is your application base, so it’s essential to implement a comprehensive program of application security controls. This should include scanning, testing, and software development lifecycle (SDLC) controls.
CIS Control 17: Incident Response Management
This control helps you put strategies in place to plan and test for cybersecurity incidents so that you’re not left scrambling when they occur. Know who at your organization is responsible for handling incidents and what processes they’ll use to mitigate them. It’s also crucial to conduct post-incident reviews to understand what happened and how to prevent a repeat occurrence.
CIS Control 18: Penetration Testing
Regular penetration testing helps you identify vulnerabilities and attack vectors that would otherwise go unknown until discovered by malicious actors. It's an important aspect of discovery and of identifying potential critical vulnerabilities within your organization's external network, internal network, applications, or systems.
The 18 security controls can create a framework that will help you protect your organization and data from cyber attack. Scott has utilized the CIS Controls framework to create the foundational cybersecurity programs at more than 50 organizations across the globe. Message